Vulnerability

A vulnerability is a weakness that allows a potential attacker to reduce a system's information assurance.
• Integrity
• Availability
• Confidentiality
• Authorization
• Authentication
• Non-repudiation
Vulnerability
• ISO 27005
An asset (anything that has value to the company) or a group of assets that can be "exploited" by one or more threats.
• IETF RFC 2828
A flaw or weakness in the design, implementation, or management and operation of a system that can be exploited to violate the security policy of the system itself.
• ISACA
A weakness in design, implementation, operation or internal control.
Vulnerability archives
• National Vulnerability Database
https://nvd.nist.gov/
– CVE Vulnerabilities
– Checklists
– US-CERT Alerts
– US-CERT Vuln Notes
– OVAL Queries
– CPE Names
Try searching the site:
CVE-2008-1930
WordPress 2.5 Cookie Integrity Protection Vulnerability
The vulnerable function is:
wp_validate_auth_cookie
in the file:
wp-includes/pluggable.php
function wp_validate_auth_cookie($cookie = '') {
    if ( empty($cookie) ) {
        if ( empty($_COOKIE[AUTH_COOKIE]) )
            return false;
        $cookie = $_COOKIE[AUTH_COOKIE];
    }

    list($username, $expiration, $hmac) = explode('|', $cookie);

    $expired = $expiration;

    // Allow a grace period for POST and AJAX requests
    if ( defined('DOING_AJAX') || 'POST' == $_SERVER['REQUEST_METHOD'] )
        $expired += 3600;

    if ( $expired < time() )
        return false;

    $key = wp_hash($username . $expiration);
    $hash = hash_hmac('md5', $username . $expiration, $key);

    if ( $hmac != $hash )
        return false;

    $user = get_userdatabylogin($username);
    if ( ! $user )
        return false;

    return $user->ID;
}

    if ( empty($cookie) ) {
        if ( empty($_COOKIE[AUTH_COOKIE]) )
            return false;
        $cookie = $_COOKIE[AUTH_COOKIE];
    }

1. The function reads the AUTH_COOKIE cookie if no cookie is specified in the call.
2. If the cookie is still empty, it returns false.

    list($username, $expiration, $hmac) = explode('|', $cookie);

1. It populates three variables with the data taken from the cookie.

    $expired = $expiration;

    // Allow a grace period for POST and AJAX requests
    if ( defined('DOING_AJAX') || 'POST' == $_SERVER['REQUEST_METHOD'] )
        $expired += 3600;

    if ( $expired < time() )
        return false;

1. It checks the cookie's expiration.

    $key = wp_hash($username . $expiration);
    $hash = hash_hmac('md5', $username . $expiration, $key);

    if ( $hmac != $hash )
        return false;

1. The wp_hash function computes a keyed hash of the content using a SECRET_KEY.
2. If the cookie's HASH is not "valid", the function returns false.

    $user = get_userdatabylogin($username);
    if ( ! $user )
        return false;

    return $user->ID;
}

1. If a user with the name taken from the cookie exists, the function authenticates that user and returns the user's ID.

The vulnerability:

    $hash = hash_hmac('md5', $username . $expiration, $key);

A collision can be generated. Both rows below concatenate to the same string, admin11353464343, so the HMAC is identical:

$username   $expiration   HMAC($username . $expiration)
admin1      1353464343    1ba7d82099dd6119781b54ecf8b79259
admin       11353464343   1ba7d82099dd6119781b54ecf8b79259

The fix:

    $hash = hash_hmac('md5', $username . '|' . $expiration, $key);

Separate the values correctly.

Porta patens esto. Nulli claudatur honesto
Porta patens esto nulli. Claudatur honesto
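
The two MAC constructions from the slides, run side by side over the two rows of the collision table. This is an added example, not WordPress code: DEMO_KEY, the fixed timestamp and all function names are assumptions, and the validator additionally rejects cookies whose field count is wrong and compares MACs in constant time.

```php
<?php
// Added example, not WordPress code. DEMO_KEY and all function names are
// assumptions; WordPress derives a per-cookie key with wp_hash() instead.
const DEMO_KEY = 'constructed-demo-key';

// Construction shown as vulnerable: fields concatenated with no separator.
function mac_concat(string $username, string $expiration): string {
    return hash_hmac('md5', $username . $expiration, DEMO_KEY);
}

// Construction shown as the fix: '|' marks the field boundary inside the MAC input.
function mac_delimited(string $username, string $expiration): string {
    return hash_hmac('md5', $username . '|' . $expiration, DEMO_KEY);
}

// Validate a "username|expiration|hmac" cookie using the given MAC function.
// Returns the username on success, false otherwise.
function validate_cookie(string $cookie, callable $mac, int $now) {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return false;               // wrong field count, e.g. '|' inside a field
    }
    [$username, $expiration, $hmac] = $parts;
    if ($username === '' || !ctype_digit($expiration) || (int) $expiration < $now) {
        return false;               // malformed or expired
    }
    // Constant-time comparison instead of the loose != in the original function.
    return hash_equals($mac($username, $expiration), $hmac) ? $username : false;
}

// Constructed sample data: the two rows of the table above.
$now = 1353464000;
foreach (['mac_concat', 'mac_delimited'] as $mac) {
    $issued = 'admin1|1353464343|' . $mac('admin1', '1353464343');
    // Same MAC value, field boundary moved by one character.
    $shifted = 'admin|11353464343|' . $mac('admin1', '1353464343');
    printf("%-14s issued: %s  shifted: %s\n", $mac,
        var_export(validate_cookie($issued, $mac, $now), true),
        var_export(validate_cookie($shifted, $mac, $now), true));
}
```

Under mac_concat the boundary-shifted cookie validates as admin; under mac_delimited it is rejected, because the separator is now part of the authenticated data.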